1. Field of the Invention
The present invention generally relates to secure information handling systems and, more particularly, to information handling systems in the form of an Electronic Funds Transfer or Point of Sale (EFT/POS) network with a large number of terminals wherein information is protected by cryptographic techniques. The invention specifically relates to cryptographic key initialization techniques for such systems and requires a Key Distribution Center (KDC) to manage the keys. The KDC has a Public Key (PKkdc) and a Secret Key (SKkdc), with the PKkdc being installed at each terminal in the system. The procedure according to the invention requires a person to be designated for each terminal to carry out an initialization procedure that initializes a terminal or user key at the KDC. Transportation and distribution of keys via couriers is eliminated.
2. Description of the Prior Art
Cryptographic methods are required whenever information must be sent securely through an uncontrolled, possibly hostile, environment such as a communications network. To employ these methods requires the initialization of system nodes with cryptographic variables, i.e., cryptographic keys. Initialization procedures are required for networks with large numbers, perhaps hundreds of thousands, of terminals in locations with low physical security. Such networks are typified by modern Electronic Funds Transfer (EFT) and Point of Sale (POS) networks such as those used by interstate banking and retailing establishments.
Normally, security personnel are employed to initialize a system with cryptographic keys. In an implementation using a symmetric algorithm, such as the Data Encryption Algorithm (DEA), trusted personnel must handle secret keys. In an implementation using an asymmetric algorithm such as the Rivest, Shamir, Adleman algorithm (RSA), trusted personnel might also initialize the system with secret keys, although here it is possible to require only public keys to be distributed. (An asymmetric algorithm is also referred to as a Public Key Algorithm (PKA).) In the latter approach, the required secret key and corresponding public key are generated internally by the node. The secret key is stored whereas the public key is displayed so that it can be distributed by security personnel to the appropriate node communicating with the terminal. (A channel with integrity is required since otherwise a fake public key, corresponding to a fake secret key, might be accepted by the authenticating node.)
As the number of terminals in a network grows, one might expect that a certain economy-of-scale would come into play to reduce the overall cost of distributing keys using security personnel (e.g., couriers). However, current projections indicate quite the opposite, and it is expected that the cost of key distribution using couriers will grow at least proportionally with the number of terminals, and perhaps even more. Although it is true that travel distances between sites serviced by such couriers might well be reduced as more and more nodes are located within a given geographical area, the increased work in scheduling and coordinating courier visits at these sites would undoubtedly more than offset this expected advantage. Another major difficulty would involve smaller networks joining with larger networks, or joining of several small networks into one large network. The problem is that a small network joining a large network might well find that key distribution is not limited to only the small network. It might require key distribution across the total network.
Courier-based distribution of secret keys, an early approach to key distribution, is well known in the art. One of the first proposals for handling key distribution with a PK algorithm simply involved the exchange of public keys over a communication channel by a pair of devices wishing to communicate. This technique, however, lacked integrity since it was possible for an adversary to pose as a genuine node merely by sending his public key to another party in the network. An adversary could also perform an active attack against two devices intending to enter into a communication by intercepting the exchanged public keys and forwarding his own public key to the respective devices. This would allow the adversary to intercept, decrypt, read, and reencrypt all communications from one device to another.
Another proposal for distributing public keys was to register them with a key distribution center. Anyone wishing to communicate with a particular party would first contact the KDC to obtain a copy of that party's public key. To provide integrity, the KDC would prepare a short message containing the public key and the ID of the device or user to which the key belonged and then "sign" this message by decrypting the message using the secret key of the KDC. In advance, the public key of the KDC would be distributed to each node or device in the system, which could then be used to validate the message containing the public key and signature received from the KDC by encrypting the received signature with the public key. This then provided a path with integrity to distribute the public keys of each user or device. There remains, however, the issue of integrity of the keys during registration. As the initial registration process could merely consist of communicating the public key to the KDC in some sort of message saying that this is my key and please register it, an adversary could falsely register a public key in the name of someone else.
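The KDC-signed registration record described above, as an added example that is not part of the patent text: the KDC binds a device ID to a public key with its secret key SKkdc and a node holding PKkdc validates the pair. The terminal ID "POS-0001", the stand-in public key bytes and the use of a hashed PKCS#1 v1.5 signature in place of the raw "decrypt with the secret key" operation are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// digest hashes the KDC's short message (ID + public key); the ID is length-prefixed.
func digest(id string, pub []byte) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, uint32(len(id)))
	h := sha256.Sum256(append(append(b, id...), pub...))
	return h[:]
}

// kdcSign applies SKkdc to the digest (PKCS#1 v1.5 signature).
func kdcSign(sk *rsa.PrivateKey, id string, pub []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, sk, crypto.SHA256, digest(id, pub))
}

// terminalVerify is the check a node holding PKkdc runs before trusting a received key.
func terminalVerify(pkKDC *rsa.PublicKey, id string, pub, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pkKDC, crypto.SHA256, digest(id, pub), sig) == nil
}

// Scenario registers a constructed terminal "POS-0001" and checks that the
// genuine record verifies while the same signed key relabelled "POS-0002"
// (an adversary reusing it under another identity) is rejected.
func Scenario() (genuineOK, relabelledOK bool, err error) {
	kdc, err := rsa.GenerateKey(rand.Reader, 2048) // (PKkdc, SKkdc)
	if err != nil {
		return
	}
	pub := []byte("constructed stand-in for POS-0001's encoded public key")
	sig, err := kdcSign(kdc, "POS-0001", pub)
	if err != nil {
		return
	}
	genuineOK = terminalVerify(&kdc.PublicKey, "POS-0001", pub, sig)
	relabelledOK = terminalVerify(&kdc.PublicKey, "POS-0002", pub, sig)
	return
}

func main() {
	fmt.Println(Scenario()) // true false <nil>
}
```

Note that this check only protects the record after the KDC has signed it; it does nothing against the registration-step problem the paragraph ends with, where the wrong key is submitted for an ID in the first place.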
Racal-Milgo has implemented a method of key distribution via a PK algorithm. Aware of the potential for spoofing, Racal-Milgo implemented an anti-spoofing procedure involving a telephone call in which the parties verified their respective public keys by comparing verification information calculated on the public keys. Briefly, two parties who wish to communicate each generate a public key/secret key pair and then exchange their public keys via the communication channel. Upon receipt of the public key, each party calculates a prescribed function of the public key. The parties then contact each other via telephone and exchange the calculated values, which are then verified by the originating parties. If the correct values are communicated, then each party has received the correct public key. This procedure is described in an article entitled "Public Key Security" by C. R. Abbruscato published in the December 1984 issue of Telecommunications. The weak link in this anti-spoofing defense is that the telephone channel itself must have integrity or the callers must recognize each other's voice.
Bell Telephone Laboratories has described a similar technique for anti-spoofing which pre-dates the Racal-Milgo technique. Bell's technique involves verifying the public keys by calculating and mailing the key validation information to the originating node instead of communicating the information by voice over a telephone communication channel. Otherwise, the concept is the same. The procedure is described in an article by Frank H. Myers entitled "A Data Link Encryption System", NTC Conference Record, National Telecommunications Conference, Washington, D.C., Nov. 27-29, 1979. Again this anti-spoofing defense requires that the postal system handling mail have integrity, else the anti-spoofing check could again be spoofed.
In a recent paper, Carl H. Meyer and Stephen M. Matyas describe a method of key installation/distribution. See "Installation and Distribution of Cryptographic Variables in an EFT/POS Network with a Large Number of Terminals", Proceedings of SECURICOM 86 (1986). This approach calls for the installation of the secret terminal keys at a trusted node, for example, a Key Distribution Center (KDC). The terminals with their installed keys are then transported to their final destinations. The secret initial terminal key is protected during transport (initial key distribution) by a secure hardware design defined as a Tamper Resistant Module (TRM), which appears to achieve the highest degree of key protection. This procedure has the same degree of complexity and security whether the employed cryptographic algorithm is symmetric (e.g., the Data Encryption Algorithm (DEA)) or asymmetric (e.g., the Rivest, Shamir, Adleman algorithm (RSA)).
Another approach allows the initial secret terminal keys to be distributed with key mailers, similar to the procedures used to distribute Personal Identification Numbers (PINs). Although this approach of initial key distribution is less costly and does not require terminal initialization at a trusted node, it is less secure since it is easier to obtain secret information by intercepting mail than by attacking a TRM design.
With the trend toward networks with hundreds of thousands of terminal devices, the need for cost effective, practical, and secure techniques for the distribution of cryptographic keys poses a special challenge to the designer of a cryptographic system. The need for secret cryptographic keys at each system node can be demonstrated by one of the more important security requirements; i.e., the requirement to assure unaltered transmission of messages between network nodes. If this requirement is satisfied, it is said that the messages have integrity. To achieve this requires the introduction of cryptographic error detection codes. Such a code must be a function of the message and a secret quantity such that even a minute change in the message will have a corresponding change in the code. A secret quantity is required in generating this code in order that only the owner of such a secret key can generate a valid quantity. (The cryptographic concepts used apply to a check for message integrity as well as to assuring the integrity and authenticity of other entities such as system nodes, cryptographic keys, and system users.) Consequently, the requirement to provide message integrity checks dictates the installation of secret keys in all system nodes.
Another problem posed by large networks is how to provide sufficient message security, integrity as well as secrecy, in an environment where the network entry point devices have low physical security. A low cost POS terminal installed in a supermarket is a good example of this. In such an environment, it would be unwise to store a secret key in terminals that would compromise network security beyond that of the single terminal, should the key become compromised. Also it would be advantageous if the compromise of such a key would not allow an adversary to decrypt previously transmitted and intercepted data.
The anticipated cost and other associated problems with courier-based key distribution in networks with very large numbers of nodes has caused a heightened concern to find better, less expensive, and equally secure methods of key distribution than traditional courier-based methods.
As further background to the present invention, the reader may make reference to U.S. Pat. No. 4,200,770 to Hellman et al, U.S. Pat. No. 4,218,582 to Hellman et al and U.S. Pat. No. 4,405,829 to Rivest et al for discussions of public key algorithms. Also of interest is U.S. Pat. No. 4,206,315 to Matyas et al which describes on column 4, line 62, to column 6, line 17, the generation of a message and signature. U.S. Pat. No. 4,386,234 to Ehrsam et al describes at column 5, lines 26 to 42, a terminal with an integrated security device. This device is the cryptographic facility which is described by Meyer and Matyas in Cryptography: A New Dimension in Computer Data Security, John Wiley & Sons (1982), at pages 222 to 226. U.S. Pat. No. 4,238,853 to Ehrsam et al shows in FIG. 9 and describes in the text on column 20, lines 49 to 68, and column 21, lines 1 to 9, a procedure for generation of random numbers which can be used by the host data security device (i.e., cryptographic facility) as part of a process of generating cryptographic keys. In the same patent, at column 4, lines 54 to 68, and column 5, lines 1 to 51, there is a description of the host data security device and the key generation process.